Back to Blog

Endre Sara

Microservices in the Real World: How We Used Red Hat Universal Base Image 8 to Secure Our Containers

Microservices are all well and good, but these are just our modern day applications. And all applications, especially enterprise applications need to be secure. In my previous post I talked about how we were able to dynamically manage Java memory for each of the processes running in our re-architected microservices application. This was just one example of the realities we face when building an enterprise microservices application. We re-architected our application to scale with and automate some of the world’s largest hybrid cloud estates. With that kind of responsibility, every service of this application must be secured.

Challenge: How do you secure containers for the enterprise applications, but keep things simple for your Developers?

A Docker base image is an operating system user space minus the kernel. You can have common base images for various applications, which are created by adding that specific application runtime (such as MySQL) inside the user space. It’s on Developers to choose a base image when they’re building an app in a container. The challenge is choosing a base image that gets you the functionality that you need, but gives you the security that is required.

Open source has the benefit of offering a plethora of stuff fast, but you have to be aware of the consequences of the code you choose. This is especially true when your customer base includes over 20% of the Fortune 500.

We started with packaging our software as containers with Ubuntu, which was not secure enough. Ubuntu is an easy first choice for a base image as it provides bleeding edge functionality, but enterprise security is not the focus of the latest ubuntu images.

We tried Alpine as a lightweight option, but there were too many issues with finding compatible dependent libraries and making sure that our software works with them. After trying a couple of times we gave up.

Then we tried Red Hat Enterprise Linux 7, which had the right level of security, but it is only distributable when running on RHEL environments. This is true for almost all of our large financial customers, but not for every segment of the market or for midsize and smaller environments.

Solution: Red Hat Universal Base Image. It’s designed to be easy to use, has strong security capabilities, and is built for the enterprise customer.

In May of this year, Red Hat announced the Red Hat Universal Base Image. UBI is a freely redistributable container base image based on RHEL 8, including security and functionality needed for containerized microservices applications. Basically, you get the benefits and security capabilities of enterprise Linux, but without the things you don’t actually need for containers. This is a great contribution from Red Hat. They’ve taken on the burden of assessment and ongoing maintenance of security vulnerabilities to support UBI so that Developers have an easier way to build more secure applications that can confidently be deployed in the enterprise.

We switched to UBI 8 and moved both our open source software as well as our ISV images to be packaged on top of the UBI 8 base images. For example, we have been able to use the ubi8-minimal image in our Prometheus and Kubernetes integrations. 

Prometurbo allows our software to pull application response time and transaction metrics from Prometheus into our analytics engine, which then stitches that data to our full-stack analysis to automatically manage application resources to automatically and continuously meet customer’s service level objectives. Check out this video here to learn more: Assuring Application SLOs with Turbonomic.

Likewise, KubeTurbo allows our software to discover CPU and Memory limits, requests, utilization, as well as namespaces, affinity/anti-affinity labels, etc. Our analytics then use this data to automatically determine the right Kubernetes resource decisions at the right time to continuously assure application performance. And since our platform integrates with every layer of the stack (see all Turbonomic integrations), it does so with a full understanding of the underlying infrastructure. You can learn more about our Kubernetes support here.

The bottom line is that these images are part of continuously and automatically assuring the performance of our customers' business critical applications. Our customers put a lot of trust in our software. It has to be secured.

Results: Our developers focus on features and functionality; our customers get the security they expect of a platform running their business-critical applications.

With Red Hat UBI we get enterprise-grade security capabilities, while our Developers can focus on what they do best: building applications. We can deploy our code without modification, including java components, database components, logging and web components because UBI provides the dependent libraries and also continuously maintains them to address security vulnerabilities by bringing updates without breaking compatibility.

Customers can verify the security of these images by scanning them and they can deploy these container images without incurring additional software licensing costs.

Thank you, Red Hat.